OAuth (Client Credentials)

Machine-to-machine authentication using OAuth 2.0 client credentials.

For automated systems, CI/CD pipelines, and service-to-service integrations, Provenance supports the OAuth 2.0 Client Credentials grant. This gives you short-lived access tokens with fine-grained scope control — ideal when you don't want to share a long-lived API key.

How it works

  1. Create an OAuth App from the platform dashboard.
  2. Use the client_id and client_secret to request an access token.
  3. Use the access token in the Authorization: Bearer header.
  4. Tokens expire after 1 hour — request a new one when needed.

Creating an OAuth app

Navigate to OAuth Apps in the platform dashboard.

  1. Click Create OAuth App.
  2. Enter a name and optional description.
  3. Select the scopes your app needs (see Scopes below).
  4. Copy the client_id and client_secret — the secret is only shown once.

[Screenshot: Create OAuth App dialog]

Once created, you'll see the client_id and client_secret. Copy the secret immediately — it's only shown once.

[Screenshot: OAuth app created with credentials]

Requesting a token

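curl -X POST https://provenance-web.onrender.com/oauth/token -H "Content-Type: application/json" \
  -d '{"grant_type": "client_credentials", "client_id": "<client_id>", "client_secret": "<client_secret>"}'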

Response:

{
  "access_token": "oat_...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "interactions:write interactions:read"
}

Using the token

Pass the token in the Authorization header:

curl https://provenance.onrender.com/api/interactions \
  -H "Authorization: Bearer oat_..."

The token is validated against your tenant's schema — it automatically resolves to the correct tenant without needing x-api-key.

Scopes

Scopes control what the token can access. Select only the scopes your integration needs.

Scope                 Description
interactions:read     Read interactions, traces, activity search
interactions:write    Create new interactions
dashboards:read       View dashboards, widgets, and analytics queries
dashboards:write      Create and manage dashboards and widgets
alerts:read           View alerts, metrics, and audit logs
alerts:write          Create and manage alerts
subscriptions:read    View subscribers, subscriptions, and queue
subscriptions:write   Manage subscribers and subscriptions
config:read           View resource types, actions, and origins
config:write          Create and manage resource types, actions, and origins
system:read           View adapters, adapter settings, global config, and functions
system:write          Manage adapters, adapter settings, global config, and functions
secrets:read          View secrets and secret providers
secrets:write         Manage secrets and secret providers
inbound:read          View inbound sources and mappings
inbound:write         Manage inbound sources and mappings
users:read            View users, roles, and permissions
users:write           Manage users, roles, and permissions
admin                 Full access — equivalent to API key

Managing OAuth apps

From the OAuth Apps page you can:

  • View all apps — see client ID prefix, scopes, last used date, and status.
  • Edit — update name, description, or scopes.
  • Rotate secret — generate a new client secret (invalidates the old one).
  • Revoke — permanently deactivate the app and all its tokens.

[Screenshot: OAuth apps overview]

Token lifecycle

  • Tokens expire after 1 hour (3600 seconds).
  • There is no refresh token — request a new access token when the current one expires.
  • Revoking an OAuth app immediately invalidates all tokens issued by that app.
  • Rotating the client secret does not invalidate existing tokens (they expire naturally).
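The lifecycle rules above, as an added example that is not Provenance's own code: a Python token provider that caches the access token, requests a new one shortly before the 1-hour expiry (there is no refresh token), and refuses a token whose granted scopes exceed what the integration expects. The names TokenProvider, http_post_json, allowed_scopes and the 60-second skew are assumptions of this example; the endpoint, JSON request body and response fields are the ones shown on this page.

```python
import json
import time
import urllib.request

TOKEN_URL = "https://provenance-web.onrender.com/oauth/token"  # endpoint from this page


def http_post_json(url, payload):
    """POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenProvider:
    """Caches a client-credentials token and re-requests it before expiry."""

    def __init__(self, client_id, client_secret, allowed_scopes,
                 post=http_post_json, clock=time.monotonic, skew=60):
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self._allowed = set(allowed_scopes)   # scopes this integration expects
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        # No refresh token exists, so an expired token means a fresh request.
        if self._token is None or self._clock() >= self._expires_at:
            body = self._post(TOKEN_URL, self._creds)
            if body.get("token_type") != "Bearer":
                raise ValueError("unexpected token_type")
            extra = set(body.get("scope", "").split()) - self._allowed
            if extra:
                # Least privilege: refuse tokens broader than this job expects.
                raise PermissionError(f"over-scoped token: {sorted(extra)}")
            self._token = body["access_token"]
            # Renew `skew` seconds early so in-flight calls never carry a stale token.
            self._expires_at = self._clock() + body["expires_in"] - self._skew
        return self._token

    def auth_header(self):
        """Header to attach to API requests."""
        return {"Authorization": f"Bearer {self.get()}"}
```

The post and clock parameters exist so the provider can be exercised offline with a stub transport and a fake clock.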

OAuth vs API keys

            API Key                          OAuth Token
Lifetime    Until revoked                    1 hour
Scope       Full access                      Fine-grained scopes
Best for    Simple integrations, CLI, SDK    CI/CD, service-to-service, least-privilege
Header      x-api-key                        Authorization: Bearer
Rotation    Manual from dashboard            Automatic (request new token)

Example: GitHub Actions with OAuth

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Get Provenance token
        id: token
        run: |
          RESPONSE=$(curl -s -X POST https://provenance-web.onrender.com/oauth/token \
            -H "Content-Type: application/json" \
            -d '{
              "grant_type": "client_credentials",
              "client_id": "${{ secrets.PROV_CLIENT_ID }}",
              "client_secret": "${{ secrets.PROV_CLIENT_SECRET }}"
            }')
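          # The token is derived at runtime, so mask it in logs before exposing it as a step output.
          TOKEN=$(echo "$RESPONSE" | jq -r .access_token)
          echo "::add-mask::$TOKEN"
          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"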

      - name: Record deployment
        run: |
          curl -X POST https://provenance.onrender.com/api/interactions \
            -H "Authorization: Bearer ${{ steps.token.outputs.token }}" \
            -H "Content-Type: application/json" \
            -d '{
              "resourceId": "${{ github.repository }}",
              "resourceTypeId": "DEPLOYMENT",
              "actionId": "CREATE",
              "originId": "GITHUB_ACTIONS",
              "interaction": {"sha": "${{ github.sha }}"}
            }'